Index: openacs-4/packages/acs-core-docs/www/xml/kernel/permissions-design.xml =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/xml/kernel/permissions-design.xml,v diff -u -N -r1.1 -r1.2 --- openacs-4/packages/acs-core-docs/www/xml/kernel/permissions-design.xml 13 Mar 2001 22:59:26 -0000 1.1 +++ openacs-4/packages/acs-core-docs/www/xml/kernel/permissions-design.xml 2 Feb 2002 03:47:32 -0000 1.2 @@ -1,5 +1,5 @@ - -ACS 4 Permissions Design + +OpenACS 4 Permissions Design by John Prevost and Rafael H. Schloming @@ -40,7 +40,7 @@ at least one permissions API call, and some will make several. For programmers, the Permissions API provides a means to work with access -control in a consistent manner. If a programmer's ACS package defines new +control in a consistent manner. If a programmer's OpenACS package defines new methods for itself, the Permissions API must provide simple calls to determine whether the current user is authorized to perform the given method. In addition, using the Permissions API, queries should easily select only @@ -57,7 +57,7 @@ Historical Considerations -In earlier versions of the ACS, permissions and access control was handled +In earlier versions of the OpenACS, permissions and access control was handled on a module-by-module basis, often even on a page-by-page basis. For example, a typical module might allow any registered user to access its pages read-only, but only allow members of a certain group to make changes. The way @@ -68,7 +68,7 @@ Problems resulting from this piecemeal approach to permissions and access control were many, the two major ones being inconsistency, and -repeated/redundant code. Thus the drive in ACS 4 to provide a unified, +repeated/redundant code. Thus the drive in OpenACS 4 to provide a unified, consistent permissions system that both programmers and administrators can readily use. @@ -126,7 +126,7 @@ -A relation describing the set of methods directly +A relation describing the set of methods directly associated with each privilege. @@ -135,7 +135,7 @@ -A relation describing which privileges directly +A relation describing which privileges directly "contain" other privileges. @@ -145,7 +145,7 @@ A table with one (party, object, privilege) -row for every privilege directly granted on any object in +row for every privilege directly granted on any object in the system - this is a denormalization of acs_privilege_method_rules and acs_privilege_hierarchy @@ -202,7 +202,7 @@ -In general, only acs_object_party_method_map +In general, only acs_object_party_method_map should be used for queries from other modules. The other views are intermediate steps in building that query. @@ -251,7 +251,7 @@ Queries on permissions -"Modification of methods and privileges." This +"Modification of methods and privileges." This refers to actions that happen mainly at package installation time - a package will create a number of methods for its own use, then associate them with the system's standard privileges, or new privileges which the package has @@ -263,7 +263,7 @@ web page for manipulating these features should be limited to site-wide administrators. -"Modification of permissions" - involves fairly +"Modification of permissions" - involves fairly common operations. Users are typically able to administer permissions for objects they themselves create. The two basic operations here are "grant" and "revoke". Granting permissions is done via @@ -276,7 +276,7 @@ an object, the user must have the administer_privileges method permission on that object. -"Queries on permissions" - by far the most +"Queries on permissions" - by far the most common operation is querying the permissions database. Several kinds of questions are commonly asked: First, and most commonly, "Can this party perform this method on this object?" Two Tcl functions are provided to @@ -305,7 +305,7 @@ The API to the permissions system consists of a few well-known tables, plus a pair of PL/SQL procedures and a pair of Tcl functions. -Tables +Tables acs_methods, acs_privileges, and acs_privilege_method_rules manage the set of permissions in the @@ -321,7 +321,7 @@ (which is a view) nor acs_permissions should be updated directly. -PL/SQL Procedures +PL/SQL Procedures acs_permissions.grant_permission introduces new permissions for an object. It should be given an (object, party, @@ -352,7 +352,7 @@ These procedures are defined in permissions-create.sql -Tcl Procedures +Tcl Procedures Two tcl procedures provide a simple call for the query, "Can this user perform this method on this object?" One returns true or false, the @@ -471,10 +471,10 @@ -Document Revision # -Action Taken, Notes -When? -By Whom? +Document Revision # +Action Taken, Notes +When? +By Whom?